10/21/2017 Understanding

21CFR PART-11
AN OVERVIEW OF 21 CFR PART-11 - COMPILATION

Computer systems have revolutionized the way that we as everyday people go about our day.
Whether it is a smartphone in our pocket with the latest apps, a tablet device in our lab or a
desktop computer in our office, using technology has, and will continue to have a positive impact
on productivity and efficiency – that’s just a fact.

With the way that we consume information today and the unflinching adoption of new devices
and technology, it seems natural to use these systems to manage records electronically in
place of paper records. As the phrase goes, “with great power, comes great responsibility.” The
same can be said for computerized systems in regulated industries.

In this article we take a deeper look at the FDA 21 CFR Part 11 Regulations, and why they are so
important in today’s life science environment.

THIS OVERVIEW OF 21 CFR PART-11 IS DIVIDED INTO A FEW SECTIONS

SECTION-I: Understanding 21 CFR PART-11

SECTION-II: 21 CFR 11 Compliance Question and Answers

SECTION-III: Quiz on 21 CFR Part-11

SECTION-IV: Guidances/Regulations on Data Integrity

Page 1 of 11 Varadharaj. Vijayakumar


E-Magazine-“2” 10/21/2017
Section-I:
Understanding 21 CFR Part -11
21 CFR Part 11 is a section in the Code of Federal Regulations (CFR) that sets forth the United States Food and Drug
Administration’s (FDA) guidelines on using electronic records (e-recs) and electronic signatures (esigs).

Part 11, as it’s commonly called, defines the criteria under which electronic records and electronic signatures are
considered to be accurate, authentic, trustworthy, reliable, confidential, and equivalent to paper records and
handwritten signatures on paper. Currently, the scope of this regulation is all FDA program areas.

History of 21 CFR Part 11


In the late 1980s, drug and medical device manufacturers, biotech
companies, and other FDA-regulated industries requested FDA guidelines for the use of e-sigs in paperless batch
record systems. Part 11 was published in 1997. After it was published, however, its enforcement was put on hold as the
result of discussions among industry, contractors, and the FDA concerning the interpretation and implementation of
the regulation.

In August 2003, the FDA published FDA Guidance for Industry Part 11, Electronic Records; Electronic Signatures —
Scope and Application, which describes how Part 11 should be implemented and how the FDA would enforce the
regulation. These guidelines acknowledged that the need for security measures was not the same for every piece of
electronic information. They also introduced the concept of risk analysis and promoted the formal process of risk
assessment to determine appropriate security measures.

The regulation has never been fully enforced, but in July 2010 the FDA announced that it will begin conducting audits
to ensure understanding of and compliance with Part 11 as an element of routine quality inspections.

The FDA also intends to begin rulemaking to revise Part 11 to provide further clarifications and adjustments
consistent with the principles and enforcement policies described in the August 2003 guidance document.

Here’s a short chronological history:

 1991 – Project Launched


 1992 – Advanced Notice
 1994 – Proposed Rule
 1997 - Final Rule
 2000 – Electronic Records
 1999 – Computerized Systems Used in Clinical Trials (CSUCT)
 2003 – “Scope and Application” Guidance
 2004 – Draft Computerized Systems Used in Clinical Trials Guidance
 2007 – Final Guidance Published

The Regulation
Part 11 can be subdivided into the following sections:

Subpart A – General Provisions

11.1 Scope;

11.2 Implementation;

11.3 Definitions;

Subpart B – Electronic Records

11.10 Controls for closed systems;

11.30 Controls for open systems;

11.50 Signature manifestations;

11.70 Signature/record linking.

Subpart C – Electronic Signatures

11.100 General requirements;

11.200 Electronic signature components and controls;

11.300 Controls for identification codes/passwords.

• Electronic Records
• Electronic Signatures

Here are the definitions…

Electronic Record: Any combination of text, graphics, data, audio, or pictorial information represented in digital form
that is created, modified, maintained, archived, retrieved or distributed by a computer.

Electronic Signature: A compilation of any symbol(s) executed to be the legally binding equivalent of an individual’s
handwritten signature.

Handwritten Signature: The scripted name or legal mark of an individual handwritten by that individual and
executed or adopted with the present intention to authenticate a writing in a permanent form.

Digital Signature: An electronic signature based upon cryptographic methods of originator authentication, computed
by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be
verified.

Why do we need it?

By introducing the 21 CFR Part 11 rule, the FDA has essentially enabled the Life Science community and other
FDA regulated industries to streamline business processes, reduce turnaround time and costs, all by establishing
standard criteria for the use of electronic records and signatures. If it were not for this rule, we would be unable to
manage records and other content electronically, significantly increasing the risk of human errors, increasing
operational costs and increasing time-to-market for pharmaceutical products.

What you need to think about

There are three main areas that FDA regulated companies must treat as primary areas of focus when dealing
with 21 CFR Part 11:

Features of Your System - In accordance with 21 CFR Part 11 there is a range of features that you are required to
have in place when implementing a computer system to manage electronic records and processes. Audit trail
functionality, electronic signatures, security and data integrity, records retention and file formats are but a
few.

Standard Operating Procedures - As with all regulated industries, the companies that operate within them use
Standard Operating Procedures (SOPs) to govern and describe how they are to do things. Currently in accordance
with Part 11, there are around 9 IT SOPs needed to address the IT Infrastructure requirements.

System Validation – When implementing an electronic system for use in regulated activities, you have to
document that the electronic system is fit for its intended use. In other words, demonstrate that your system
does what it should do. You must also have controls in place that allow you to identify when the system doesn’t
function as per its intended use. Here you should be utilizing your SOPs and industry best practices (such as outlined
in GAMP 5) to facilitate the validation process.

An overview of the absolutely essential SOPs that you will need to have in place to meet the
procedural control requirements of 21 CFR Part 11 Electronic Records.

1. System Maintenance SOP: The system maintenance SOP should describe the controls that you have in place to
ensure that appropriate maintenance on your system is carried out in a controlled way, and on a regular basis.
Typically you should look to include a maintenance schedule, with links to your Change Control SOP. Your
System Maintenance SOP should describe the system monitoring procedures that you have in place, as well as a
clear definition of your process for decommissioning systems. Make sure you outline your approach to ensure the
integrity of any data contained within the systems.
2. Physical Security SOP: Physical security focuses on controls that you have in place to secure access to your
premises. These controls could include things like management of key cards and codes, the management of your
building alarm system and intrusion control etc. Physical security should also reference the environmental
controls in place to protect your data installations; such as fire detection and suppression, temperature and
humidity controls and so on.
3. Logical Security SOP: Logical security is a key area of focus for 21 CFR Part 11 environments. This SOP should
detail how access to the systems is managed, and include links to any policies that relate to passwords, such as
password format or ageing, and technical controls to improve security, such as password protected screen savers. Other
logical security mechanisms that allow you to ensure data traceability and custody should also be described in the
Logical Security SOP. Finally, systems such as VPNs, Firewalls and virus protection applications should also be
managed through this procedure.
4. Incident and Problem Management SOP: This SOP should provide you with a process for managing any
incidents or problems that are experienced with regulated computerized systems. Typically you will need to
describe how incidents or problems are recorded, analyzed and resolved. If you are using a bug management
system it would be governed by this SOP. You should also look at covering the communication mechanisms that
need to be in place.
5. System Change Control SOP: This is one of the most important activities when managing regulated systems and
also one of the areas that can present the most problems. The system change control procedure should be used
when changing any component of a computerized system. The change control procedure will typically use a form
to allow the documentation of the change control. This form is also an important communication tool. The
process should first require that the change rationale and steps be documented. An impact assessment must then
be done to determine what else in the system could be impacted. Any revalidation should also be documented
including any test scripts to be executed and evidence to produce. It’s important to define a roll back path. Finally
the review and approval process both pre and post execution should be clearly defined.
6. Configuration Management SOP: Configuration management should govern how the configuration of regulated
systems is managed and documented. This SOP is often used in conjunction with change control. Configuration
changes typically require verification rather than revalidation. The configuration management procedure should
discuss how configuration should be documented and how documentation should be versioned and maintained.
It is also important to define a standard process for review and approval of configuration changes.
7. Disaster Recovery SOP: Ensuring that data is properly protected and that we are able to recover from a disaster in
a timely and controlled manner is imperative when dealing with regulated content and systems. The Disaster
Recovery SOP should clearly define what is considered a disaster and provide an overview of what should be
contained within the disaster recovery plan. The plan will typically be a separate document and describe the
different systems that fall under the plan, how to bring systems up, communication procedures, escalation and
prioritization of recovery, supplier and customer contact information and the disaster recovery team composition.
This SOP should also have provisions for periodic testing of the disaster recovery plan and how this should be
documented.
8. Electronic Signature Policy SOP: 21 CFR Part 11 electronic signatures require that individuals sign a
non-repudiation form attesting to the fact that their electronic signature is a legally binding equivalent of their
handwritten signature. This means that they will need to be trained on what an electronic signature is and when it can
be applied. This is typically defined in the electronic signature policy. The policy will also govern the
non-repudiation form and the process of provisioning electronic signatures.
9. Backup and Restoration SOP: The final SOP and possibly the most important one is Backup and Restoration.
The procedure should outline the schema and methods that you use to properly protect your data and systems.
You should look to define how backup jobs are created, maintained and verified. A restoration request process
will also be defined and should be tested periodically to ensure that you can still restore your data. Finally,
long-term archiving of data should also be addressed in this SOP.

Section-II
21 CFR 11 Compliance Question and Answers

Q: What are the requirements of 21 CFR 11?


A: 21 CFR 11 requires that closed computer systems must have a collection of technological and procedural controls
to protect data within the system. Open computer systems must also include controls to ensure that all records are
authentic, incorruptible, and (where applicable) confidential.

Q: What computer systems must be compliant with 21 CFR 11?


A: All computer systems which store data which is used to make Quality decisions or data which will be reported to
the FDA must be compliant with 21 CFR 11. In laboratory situations, this includes any laboratory results used to
determine quality, safety, strength, efficacy, or purity. In clinical environments, this includes all data to be reported as
part of the clinical trial used to determine quality, safety, or efficacy. In manufacturing environments, this includes all
decisions related to product release and product quality.

Q: What is computer system validation?


A: Validation is a systematic documentation of system requirements, combined with documented testing,
demonstrating that the computer system meets the documented requirements. It is the first requirement identified in
21 CFR 11 for compliance. Validation requires that the System Owner maintain the collection of validation
documents, including Requirement Specifications and Testing Protocols.

Q: What is accurate record generation?


A: Accurate record generation means that records entered into the system must be completely retrievable without
unexpected alteration or unrecorded changes. This is generally tested by verifying that records entered into the system
are accurately displayed and accurately exported from the system.

Q: How must records be protected?


A: Electronic records must not be corrupted and must be readily accessible throughout the record retention period.
This is usually performed through a combination of technological and procedural controls.

Q: What is limited system access?


A: System owners must demonstrate that they know who is accessing and altering their system data. When controlled
technologically, this is commonly demonstrated by requiring all users have unique user IDs along with passwords to
enter the system.

Q: What is an audit trail?


A: An audit trail is an internal log in a program that records all changes to system data. This is tested by demonstrating
that all changes made to data are recorded to the audit trail.

Q: What are operational system checks?


A: Operational system checks enforce sequencing of critical system functionality. This is demonstrated by showing that
business-defined workflows must be followed. For example, data must be entered before it can be reviewed.

Q: What are device checks?


A: Device checks are tests to ensure the validity of data inputs and operational instructions. Generally speaking, Ofni
Systems does not suggest testing keyboards, mice, etc., because these input devices are implicitly tested throughout
other testing. However, if particular input devices (optical scanners, laboratory equipment, etc.) are used, these devices
should be tested to ensure the accuracy of system inputs.

Q: What training requirements are required for 21 CFR 11 compliant programs?
A: Users must be documented to have the education, training, and experience to use the computer system. Typically
training can be covered by your company training procedures.

Q: What is a policy of responsibility for using electronic signatures?


A: Users must state that they are aware that they are responsible for all data they enter or edit in a system. This can be
accomplished technologically through accepting conditions upon signing into the system or procedurally by
documenting this responsibility as part of training.

Q: What documentation requirements are required for 21 CFR 11 compliant programs?


A: Documentation must exist which defines system operations and maintenance. Typically these requirements are met
by company document control procedures.

Q: What are the requirements for electronic signatures?


A: All electronic signatures must:

> Include the printed name of the signer, the date/time the signature was applied, and the meaning of the electronic
signature.
> Be included in the human readable form of the record. Electronic signatures must not be separable from their record.
> Be unique to a single user and not used by anyone else.
> Either use biometrics to uniquely identify the user or, if biometrics are not used, have at least two distinct identifiers
(for example, the user ID and a secret password).
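
The signature requirements listed above (printed name, date/time, meaning, two identification components, and a signature that cannot be separated from its record) can be enforced in code. The following Python sketch is an added example, not part of the original article or of any FDA text; the server key, field names and sample batch record are constructed assumptions, and an HMAC stands in for a full digital signature.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: demo-only server secret; a real system would hold this in an HSM or vault.
SERVER_KEY = b"constructed-demo-key"


def _canonical(obj: dict) -> bytes:
    """Stable byte encoding so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record: dict) -> str:
    return hashlib.sha256(_canonical(record)).hexdigest()


def _mac(manifest: dict) -> str:
    body = {k: v for k, v in manifest.items() if k != "mac"}
    return hmac.new(SERVER_KEY, _canonical(body), hashlib.sha256).hexdigest()


def sign_record(record, user_id, password_ok, printed_name, meaning, when=None):
    """Build a signature manifestation bound to exactly one record."""
    # Non-biometric signing needs two distinct components: user ID and password.
    if not user_id or not password_ok:
        raise PermissionError("user ID and verified password are both required")
    if not printed_name or not meaning:
        raise ValueError("printed name and meaning of the signature are mandatory")
    manifest = {
        "user_id": user_id,
        "printed_name": printed_name,
        "signed_at": (when or datetime.now(timezone.utc)).isoformat(),
        "meaning": meaning,  # e.g. "Review", "Approval"
        "record_sha256": record_digest(record),  # the signature/record link
    }
    manifest["mac"] = _mac(manifest)
    return manifest


def verify_signature(record, manifest):
    """Return (ok, reason); fails if the record or the manifestation changed."""
    if not hmac.compare_digest(str(manifest.get("mac", "")), _mac(manifest)):
        return False, "signature manifestation was altered"
    if manifest["record_sha256"] != record_digest(record):
        return False, "record changed or signature copied from another record"
    return True, "ok"


def render(record, manifest):
    """Human-readable form of the record with its signature attached."""
    lines = [f"{k}: {v}" for k, v in sorted(record.items())]
    lines.append(f"Signed by {manifest['printed_name']} ({manifest['user_id']}) "
                 f"on {manifest['signed_at']} - meaning: {manifest['meaning']}")
    return "\n".join(lines)


if __name__ == "__main__":
    batch = {"batch": "B-0001", "assay_pct": 99.2}  # constructed sample record
    sig = sign_record(batch, "jdoe", True, "Jane Doe", "Approval")
    print(render(batch, sig))
    print(verify_signature(batch, sig))
    batch["assay_pct"] = 101.0  # unrecorded change after signing
    print(verify_signature(batch, sig))
```

Because the manifestation carries the digest of the record it was applied to, editing the record after signing or attaching the signature to a different record both fail verification.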

Q: Does 21 CFR 11 have any requirements for passwords or identification codes?


A: Yes. Procedural controls should exist to ensure that:

> No two individuals have the same user ID and password.
> Passwords are periodically checked and expire.
> Loss management procedures exist to deauthorize lost, stolen, or missing passwords.

Section-III
Quiz on 21CFR Part -11
1. Part 11 is the part of 21 CFR that deals with electronic records & electronic signatures.
True OR False

2. Main purpose of 21 CFR part 11 is,


a) To reduce the risk of records being deliberately manipulated to falsify results
b) To prevent unauthorized access to data.
c) To ensure traceability of records to their originator or owner.
d) All of the above

3. Validation should include application-specific functions as well as functions related to Part 11, electronic
audit trail and electronic signatures
True OR False

4. As per Part 11, the procedures are not required to limit the access to authorized users
True OR False

5. Part 11 must be applied to keep electronic records even if they are older than 1997
True OR False

6. If you use a computer system to satisfy any predicate rule requirement – 21 CFR Part 11 will apply
True OR False

7. Email software and Microsoft Office are the best examples of an open system
True OR False

8. Each electronic signature shall be unique to one individual and shall be reused by, or reassigned to, anyone
else.
True OR False

9. E-Signature is legally binding


True OR False

10. Audit Trail Records need to include


a) Date & Time Stamp
b) Node of Origination
c) Operator Name
d) All of the above

11. Enforce Strict Security Measures and Ensure Data Transfer Is Secure are the key factors for 21 CFR Part 11
compliance
True OR False

Answers:
1. True
2. All the above
3. True
4. False
5. False
6. True
7. False
8. False
9. True
10. All the above
11. True

Section-IV
Guidances/Regulations on Data Integrity:
MHRA:
“MHRA GxP Data Integrity Definitions and Guidance for Industry”, July 2016 (Draft).
USFDA:
US FDA, “Guidance for Industry: Data Integrity and Compliance with CGMP Guidance for
Industry,” April 2016 (Draft)
WHO:
WHO, Annex 5, Technical Report Series; No 996 “Guidance on Good Data and Record
Management Practices,” May 2016
TGA:
TGA, Hart, S., "Data Integrity: TGA Expectations," paper presented at PDA conference July 2015,
https://www.tga.gov.au/tga-presentation-given-pda-conference-july-2015. (Not a TGA guidance
document. It is a presentation by S. Hart covering the expectations by TGA). TGA’s Basic Data
Integrity expectations: PIC/S Guide PE009-8 (Annex 11 Rev 1992); Australian Code GMP human
blood, blood components, human tissues and human cellular therapy products, Section 400-415
Documentation; Section 1000-1017 Computers; ISO 12485 Documentation.
EMA Annex 11:
Additional guidelines - EMA Q&A: GMP Data Integrity, August 2016.
21 CFR Part 11:
US FDA, 21 CFR Part 11, "Electronic Records; Electronic Signatures; Final Rule." Federal Register
Vol. 62, No. 54, 13429, March 1997
PIC/S PI 041-1 (Draft 2):
PI 041 1 (Draft 2), Guidance on Data Integrity
CFDA:
CFDA-Drug-Data-Management-Standard (Draft)
